arXiv:1102.3002v3 [cs.IT] 5 Jun 2011
Secure Multiplex Network Coding
Ryutaroh Matsumoto
Department of Communications and Integrated Systems, Tokyo Instiutte of Technology, 152-8550 Japan
Masahito Hayashi
Graduate School of Information Sciences, Tohoku University, 980-8579 Japan and Centre for Quantum Technologies,
National University of Singapore, 3 Science Drive 2, Singapore 117542
Abstract—In the secure network coding for multicasting, there
is loss of information rate due to inclusion of random bits at the source node. We show a method to eliminate that loss of information rate by using multiple statistically independent messages to be kept secret from an eavesdropper. The proposed scheme is an adaptation of Yamamoto et al.’s secure multiplex coding [14] to the secure network coding [4], [5], [20].
Keywords—information theoretic security, network coding,
se-cure multiplex coding, sese-cure network coding
I. Introduction
Network coding [1] attracts much attention recently be-cause it can offer improvements in several metrics, such as throughput and energy consumption, see [9], [10]. On the other hand, the information theoretic security [16] also attracts much attention because it offers security that does not depend on a conjectured difficulty of some computational problem.
A juncture of the network coding and the information theoretic security is the secure network coding [4], [5], which prevents an eavesdropper, called Eve, from knowing the mes-sage from the legitimate sender, called Alice, to the legitimate receivers by eavesdropping intermediate links up to a specified number in a network. It can be seen [8] as a network coding counterpart of the traditional wiretap channel coding problem considered by Wyner [21] and subsequently others [16]. In both secure network coding and coding for wiretap channels, the secrecy is realized by including random bits statistically independent of the secret message into the transmitted signal by Alice so that the secret message becomes ambiguous to Eve. The inclusion of random bits, of course, decreases the information rate. In order to get rid of the decrease in the information rate, Yamamoto et al. [14] proposed the secure multiplex coding for wiretap channels, in which there is no loss of information rate. The idea of Yamamoto et al. is as follows: Suppose that Alice has T statistically independent messages S1, . . . , ST. Then S1, . . . , Si−1, Si+1, . . . , ST serve as the random bits making Si ambiguous to Eve, for each i. The purpose of this paper is to do the same thing with the secure network coding as Yamamoto et al. [14].
Independently and simultaneously, Bhattad and Narayanan [3] proposed the weakly secure network coding, whose goal is also to get rid of the loss of information rate in the secure network coding. Their method [3] ensures that the mutual information between Si and Eve’s information is zero for each i. As drawbacks, the construction depends on the
network topology and coding at intermediate nodes, and the computational complexity of code construction is large. In order to remove these drawbacks, Silva and Kschischang [19] proposed the universal weakly secure network coding, in which they showed an efficient code construction that can support up to two Fq-symbols in each Siand is independent of the network topology and coding at intermediate nodes. They [19] also showed the existence of universal weakly secure network coding with more than two Fq-symbols in Si, but have not shown an explicit construction.
We shall propose a construction of secure multiplex network coding that is an adaptation of Yamamoto et al.’s idea [14] to the network coding. However, we relax an aspect of the security requirements traditionally used in the secure network coding. In previous proposals of secure network coding [4], [3], [11], [19], [20] it is required that the mutual information to the eavesdropper is exactly zero. We relax this require-ment by regarding sufficiently small mutual information to be acceptable. This relaxation is similar to requiring the bit error rate to be sufficiently small instead of strictly zero. Also observe that our relaxed criterion is much stronger than one commonly used in the information theoretic security [16]. Our construction can realize arbitrary small mutual information if coding over sufficiently many time slots is allowed.
There are several reasonable models of the eavesdropper Eve. In the traditional model used in [4], [5], [11], [19], [20], Eve can arbitrary choose the set of µeavesdropped links after learning the structure of network coding and the set of eaves-dropped links is assumed to be constant during transmission of one coding block. The secure network coding is required to leak no information with every set ofµeavesdropped links. We call this model as the traditional eavesdropping model. We shall show that the proposed scheme is universal secure in Section III-C in the sense of [19], [20] under the traditional eavesdropping model.
However, it is observed in [18] that there is difficulty in implementation over the current Internet architecture to keep the set of eavesdropped links constant even when the set of eavesdropped links is physically constant. Thus, we consider another model of the eavesdropper in which the set of eavesdropped links is statistically distributed independent of the structure of transmitter, the number of eavesdropped links is µ per unit time, and the set of eavesdropped links is allowed to be time-varying. We call this second model as
the statistical eavesdropping model. We shall also show that the mutual information is small averaged over any probability distribution of network coding statistically independent of any other random variables, instead of the mutual information being small with every network coding as done in [4], [5], [11], [19], [20]. Since the network coding is often constructed in the random manner [13], considering the probability distri-bution of network coding and requiring the averaged mutual information being small make sense. We also define a Shannon theoretic capacity region of secure multiplex network coding and show that the proposed construction can achieve that capacity region.
Although Harada and Yamamoto [11] have not explicitly stated, the adaptation of the secure multiplex coding [14] to the secure network coding [4], [5] can be done by their strongly secure network coding [11]. The difference between our proposed scheme and the previous works [3], [11], [19] is as follows:
• The computational complexity of constructing network
coding is huge in [3], [11], while the computational complexity of code construction in the proposed scheme is that of selecting a random nonsingular linear matrix.
• The construction of network coding in [3], [11] depends
on the underlying network topology, while the proposed scheme is independent of it and universal secure in the sense of [19], [20] under the traditional eavesdropping model (see Section III-C).
• The explicit construction of universal weakly secure net-work coding in [19] supports up to two Fq-symbols in each secret message Si and guarantees that the mutual information between each Si and Eve’s information is zero, while the proposed scheme has no limitation on the size of Si and can make the mutual information between any collection (Si: i∈ I) and Eve’s information arbitrary small1 provided that the total information rate of (Si: i∈ I) is not too large relative toµ.
• When the total information rate of (Si : i ∈ I) is large relative to µ, the mutual information to Eve becomes positive, but [3], [19] do not evaluate how large it is nor their smallest possible value. The proposed scheme realizes asymptotically the smallest possible value of mutual information with every collection (Si : i ∈ I) simultaneously, as well as [11].
This paper is organized as follows: Section II reviews related results used in this paper. Section III introduces the strengthened version of the privacy amplification theorem and the proposed scheme for secure network coding, then proves the asymptotic optimality of the latter. Section IV concludes the paper.
II. Preliminary
A. Model of network coding
As in [3], [4], [5], [11], [19], [20] we consider the single source multicast. The network model is either acyclic or cyclic,
1The mutual information turned out to be exactly zero, see Appendix B.
and each link has either no delay or unit delay. We assume the linear network coding [15], and a link carries single Fq symbol per time slot. The linear combination coefficients at each node are fixed so that every legitimate receiver can receive n symbols per time slot from the source. Linear combination coefficients at a node are allowed to change at each time slot except in Section III-C. We shall only consider the eavesdropper Eve and forget about the legitimate receivers. We shall propose a coding method encoding information over m time slots at the source node. Therefore, the source node transmit (m×n) Fq symbols in a single coding block. Eve can eavesdropµlinks per time slot. We assume µ≤n throughout this paper. The total number of eavesdropped links is therefore mµ.
B. Two-universal hash functions
We shall use a family of two-universal hash functions [6] for the privacy amplification theorem introduced later.
Definition 1: LetF be a set of functions from a finite set
S1to another finite setS2, and F the uniform random variable onF. If for any x1,x2∈ S1 we have
Pr[F(x1)=F(x2)]≤ 1
|S2|
,
thenF is said to be a family of two-universal hash functions. III. Construction of secure multiplex network coding
A. Strengthened privacy amplification theorem
In order to evaluate the mutual information to Eve when the rate of secret information is large, we need to strengthen the privacy amplification theorem originally appeared in [2], [12] as follows. The original version of the privacy amplification theorems [2], [12] cannot deduce Eq. (11) while Theorem 2 can.
Theorem 2: Let X and Z be discrete random variables on finite setsX andZ, respectively, andF be a family of two-universal hash functions from X toS. Let F be the uniform random variable on F statistically independent of X and Z. Then we have
Efexp(ρI(F(X); Z|F=f ))≤1+|S|ρE[PX|Z(X|Z)ρ] (1) for all 0 ≤ ρ≤ 1, where I denotes the (conditional) mutual information as defined in [7]. We use the natural logarithm for all the logarithms in this paper, which include ones implicitly appearing in entropy and mutual information. Otherwise we have to adjust the above inequality. Proof will be given in Appendix A.
B. Description of the proposed scheme
We assume that we have T statistically independent and uniformly distributed secret messages, and that the i-th secret message is given as a random variable Si whose realization is a column vector in Fki
q. The sizes ki are determined later. We shall also use a supplementary random message ST+1 taking values in FkT+1
q when the randomness in the encoder is insufficient to make Si secret from Eve. We assume mn=
k1 +· · · +kT+1. Let L be the set of all bijective Fq-linear maps from QTi=+11Fki
q to itself, and αI be the projection from
QT+1 i=1 F ki q to Qi∈IF ki q for ∅ , I ⊆ {1, . . . , T}. In [17] we have shown that the family {αI◦L | L ∈ L} is that of two-universal hash functions for all ∅ , I ⊆ {1, . . . , T}. Let L be the uniform random variable onLstatistically independent of S1, . . . , ST+1, and arbitrary fix nonempty I ⊆ {1, . . . , T}. Define X to be the random variable L−1(S1, . . . , ST, ST+1). The source node sends X to its n outgoing links over m time slots. Our construction just attaches the inverse of a bijective linear function to an existing network coding.
By the assumption on Eve, her information can be ex-pressed as BX by using a µm×mn matrix B over Fq. We regard B as a random variable (matrix) and its probability distribution is denoted by PB. We make no assumption on PB except that the rank of B is at most µm and that B is independent of S1, . . . , ST+1, L and X, which means that Eve does not change B by watching the realization of L. When the random network coding is used and Eve can choose locations of up toµeavesdropping links but cannot choose the linear coefficients of random network coding, the statistical independence assumption on B looks reasonable. From the uniformity assumption on Si, the conditional distribution PX|L is uniform with every realization of L. This means that X and L are statistically independent and PX is uniform. For fixed z, the set {x ∈ Fmn
q | Bx = z} has qmn−rankB vectors. Thus, the conditional distribution PX|BX,L,B(x|z, ℓ,b) is the uniform distribution on the set of qmn−rankb elements with every triple of z, ℓ and b. We have
PX|BX,L,B(x|z,l,b)=PX|BX,B(x|z,b)=q−(mn−rankb). (2) Arbitrary fix nonemptyI ⊆ {1, . . . , T}, denote the collection of random variables (Si: i∈ I) by SI, also fix a realization
b of B, and let kI = Pi∈Iki. Under these notations, we can
upper bound the mutual information I(SI; bX|L) as
Eℓexp(ρI(SI; BX|B=b,L=ℓ)) (3) ≤1+qρkIE[P
X|bX(X|bX)ρ] (by Theorem 2)
=1+qρkIE[(q−(mn−rankb))ρ] (by Eq. (2))
≤1+qρkIq−mρ(n−µ) (because rankb≤µm)
=1+q−mρ(n−µ−kI/m) (4)
for 0≤ρ≤1. One can also see that
EℓρI(SI; BX|B=b,L=ℓ) (5)
log exp(EℓρI(SI; BX|B=b,L=ℓ)) ≤log Eℓexp(ρI(SI; BX|B=b,L=ℓ)) ≤log(1+q−mρ(n−µ−kI/m))
≤q−mρ(n−µ−kI/m) (6)
for 0≤ρ≤1. Averaging Eqs. (3)–(6) over b we have Eb,ℓρI(SI; BX|B=b,L=ℓ)≤q−mρ(n−µ−kI/m), (7) Eb,ℓexp(ρI(SI; BX|B=b,L=ℓ))≤1+q−mρ(n−µ−kI/m). (8)
Fix C1>2×(2T−1). Equation (7) and the Markov inequality yield that
PrLI,1<1/C1
for any single nonempty I ⊆ {1, . . . , T}, where LI,1 := {ℓ|
EbI(SI; BX|B= b,L = ℓ) >C1Eb,ℓI(SI; BX|B = b,L =ℓ)}.
Thus,
Pr∪I:I,∅LI,1<(2T−1)/C1. This means that a realizationℓ of L satisfies
EbI(SI; BX|B=b,L=ℓ) ≤C1Eb,ℓI(SI; BX|B=b,L=ℓ)
≤C1q−mρ(n−µ−kI/m)/ρ (9)
for all the (2T − 1) nonempty subsets I of {1, . . . , T} with probability at least 1−(2T −1)/C1. Defining another subset LI,2 := {ℓ | Ebexp(ρI(SI; BX|B = b,L = ℓ)) >
C1Eb,ℓexp(ρI(SI; BX|B = b,L = ℓ)), by Eq. (8) and the
Markov inequality we obtain
Pr∪I:I,∅(LI,1∪ LI,2)<2(2T−1)/C1. Therefore, a realizationℓ of L satisfies both Eq. (9) and
Ebexp(ρI(SI; BX|B=b,L=ℓ))≤C1(1+q−mρ(n−µ−kI/m)). (10) with probability at least 1−2×(2T−1)/C1.
Equation (10) implies Eb
I(SI; BX|B=b,L=ℓ)
m
= 1
mEblog exp I(SI; BX|B=b,L=ℓ)
≤ 1
mlog Ebexp I(SI; BX|B=b,L=ℓ)
≤log C1 mρ + 1 mρlog(1+q −mρ(n−µ−kI/m)) (by Eq. (10)) ≤1+log C1 mρ +(kI/m−(n−µ)) log q, (11)
for kI/m−(n−µ) ≥ 0, where in Eq. (11) we used log(1+ exp(x))≤1+x for x≥0. Note that Eq. (9) is minimized at
ρ=1, because its partial derivative with respect to ρis
−C1q
−mρ(n−µ−k/m)
ρ2 −
C1m(n−µ−k/m) log(q)q−mρ(n−µ−k/m)
ρ ,
which is negative for all 0 < ρ≤1. By the same reason Eq. (11) is also minimized atρ=1.
Fix C2 with C2 >2×(2T−1). By the same argument as above, we see that for a realizationℓof L satisfying both Eqs. (9) and (11), with probability at least
1−2×(2T−1)/C2, (12)
a realization b of B makes
I(SI; BX|B=b,L=ℓ)
m ≤
1+log C2+log C1 mρ
+(kI/m−(n−µ)) log q. (14) Even when we choose large C2 and C1 and make the probability of b andℓ satisfying Eqs. (13) and (14) large, we can make the upper bound (13) arbitrary small by increasing m. This observation enables us to use a fixed bijective linear function ℓ that is agreed between the legitimate sender and the receivers in advance. The legitimate receiver can apply the agreedℓto the received information in order to restore the original messages Si.
One can easily see that ifρ=1 and kI≤m(n−µ−δI) with δI>0, then the upper bound (13) on the mutual information exponentially converges to zero as m→ ∞. This means that we can transmit (n−µ) Fq-symbols in the i-th secret message per time slot with arbitrary small eavesdropped information when the encoding is allowed to be done over sufficiently many time slots. On the other hand, if m(n−µ)≤kI≤m(RI−δI) with δI>0 and RI>0, then by the upper bound (14) we see the
mutual information per symbol is upper bounded by I(SI; BX|B=b,L=ℓ)
m <RI−(n−µ)
for sufficiently large m. In Section III-D we shall show that the proposed scheme is asymptotically optimal by capacity consideration.
Remark 3: The meanings of C1 and C2 are as follows: At Eqs. (7) and (8), there might not exist a realization ℓ of L that satisfies Eqs. (7) and (8) for all subsets I of {1, . . . , T} simultaneously. By sacrificing the tightness of the upper bounds, we ensure the existence of ℓ satisfying Eqs. (9) and (10). At Eqs. (9) and (10), realizations b of B might satisfy Eqs. (9) and (10) with unacceptably low probability. Again by sacrificing the tightness of the upper bounds, we ensure that the eavesdropping matrix B satisfies Eqs. (13) and (14) with comfortably high probability.
C. Security analysis of the proposed scheme under the tradi-tional eavesdropping model
In the preceding study of secure network coding [4], [5], [11], [19], [20], it is assumed that
• the eavesdropper Eve can choose µ eavesdropped links
per unit time after learning the structure of network coding, and
• the set of eavesdropped links is constant during
transmis-sion of one coding block.
In Section I we called the above assumption as the traditional eavesdropping model. Under the above assumption, the num-ber of possible sets of eavesdropped links is constant, say CE, independent of m. If we take the random variable B according to the uniform distribution on the sets of eavesdropped links and the probability of some event of B is larger than 1−1/CE then that probability must be one. Set C2 in Eq. (12) such that 1−2×(2T−1)/C2 > 1−1/CE, then we can see that Eqs. (13) and (14) hold with every realization of B. In addition to this, the proposed construction of coding does not depend
on the network topology nor coding at intermediate nodes. In that sense, the proposed scheme is universal secure [19], [20] except that the proposed scheme can make the mutual information arbitrary small2, while [19], [20] make the mutual information exactly zero.
D. Capacity consideration of the proposed scheme
Firstly, let us define the achievable rate tuple and the capacity region as in [7].
Definition 4: Suppose that we are given a sequence of
µm×mn random matrices Bm whose distribution PBm has no
restriction except that the rank of Bm is always µm and that Bmis independent of any other random variables. Let embe a stochastic encoder fromQTi=1Fmκi,m
q to Fmnq , dmeither stochastic or deterministic decoder from Fmn
q to
QT i=1F
mκi,m
q , and Si,mthe uniform random variable on Fmκi,m
q , for i=1, . . . , T and m=1, 2, . . . . If lim m→∞Pr[(S1,m, . . . ,ST,m) ,dm(em(S1,m, . . . ,ST,m))]=0, lim sup m→∞ I(SI,m; Bmem(S1,m, . . . ,ST,m)|Bm)/m ≤max 0,−(n−µ)+X i∈I Ri , lim inf m→∞ κi,m≥Ri,
for all nonempty subsets I ⊆ {1, . . . , T}, then the rate tuple (R1, . . . , RT) is said to be achievable for the secure multiplex network coding with T secret messages and up to
µ eavesdropped links per time slots represented by random matrices Bm, where SI,mdenotes the collection (Si,m: i∈ I) of secret messages Si,m. We also define the capacity region of Fq-linear secure multiplex network coding as the closure of such rate tuples (R1, . . . , RT) over all the sequences of encoders and decoders.
Theorem 5: The capacity region Fq-linear secure multiplex network coding is given by rate tuples (R1, . . . , RT) such that
0≤Ri,
T
X
i=1 Ri≤n.
Proof. The fact that every rate tuple given by the above equation is achievable is already proved in the previous section under stronger requirements, namely Pr[(S1,m, . . . , ST,m) , dm(em(S1,m, . . . , ST,m))] = 0 for all m, lim supm→∞
I(SI,m; Bmem(S1,m, . . . , ST,m)|Bm)/m≤max{0,Pi∈IRi−(n−µ)},
and limm→∞ I(SI,m; Bmem(S1,m, . . . , ST,m)|Bm)=0 forIwith
P
i∈IRi < (n−µ). We have to show the so-called converse
part of the coding theorem. Fix an arbitrary nonempty subset
I ⊆ {1, . . . , T}and a sequence of random matrices Bm, and suppose that we have a sequence of stochastic encoders as defined in Definition 4 with
lim inf m→∞ X i∈I κi,m≥ X i∈I Ri+δ (15)
2The mutual information turned out to be exactly zero and our scheme is
forδ >0 and suppose also that lim sup m→∞ I(SI,m; Bmem(S1,m, . . . ,ST,m)|Bm)/m ≤max 0,X i∈I Ri−(n−µ) . (16)
By Eq. (16) there exists a sequence of µm×mn matrices bm such that lim sup m→∞ I(SI,m; bmem(S1,m, . . . ,ST,m))/m ≤lim sup m→∞ I(SI,m; Bmem(S1,m, . . . ,ST,m)|Bm)/m ≤max 0,X i∈I Ri−(n−µ) . (17)
For every m, define am to be an µm×µm matrix and cm to be an mn×mn matrix such that ambmcm is a matrix of the horizontal concatenation of the µm×µm identity matrix and the zero matrix. By Eq. (17) and the data processing inequality we have lim sup m→∞ I(SI,m; ambmcmem(S1,m, . . . ,ST,m))/m ≤max 0,X i∈I Ri−(n−µ) . (18)
Define Xm(1) as the firstµm components in the random vector em(S1,m, . . . , ST,m), and X
(2)
m as the remaining components in em(S1,m, . . . , ST,m). We have H(SI,m|em(S1,m, . . . ,ST,m)) =H(SI,m|Xm(1),X (2) m ) =H(SI,m)−I(SI,m; Xm(1),X (2) m) =H(SI,m)−I(SI,m; Xm(1))−I(SI,m; X(2)m|X (1)
m) (by the chain rule)
=H(SI,m)−I(SI,m; ambmcmem(S1,m, . . . ,ST,m))
−I(SI,m; Xm(2)|X (1) m )
≥H(SI,m)−I(SI,m; bmem(S1,m, . . . ,ST,m))−I(SI,m; Xm(2)|X (1) m)
≥H(SI,m)−I(SI,m; bmem(S1,m, . . . ,ST,m))−H(Xm(2))
≥mX i∈I
κi,mlog q−I(SI,m; bmem(S1,m, . . . ,ST,m))
−m(n−µ) log q ≥mhX i∈I κi,m−n+µ log q−I(SI,m; bmem(S1,m, . . . ,ST,m))/m i ≥mhX i∈I κi,m−n+µ log q −I(SI,m; Bmem(S1,m, . . . ,ST,m)|Bm)/m i ,
where H denotes the (conditional) entropy as defined in [7]. By abuse of notation, re-define αI to be the projection from
QT i=1F
ki
q toQi∈IF
ki
q for∅,I ⊆ {1, . . . , T}. By using Fano’s inequality [7, Theorem 2.10.1] Pr[(S1,m, . . . ,ST,m),dm(em(S1,m, . . . ,ST,m))] ≥Pr[SI,m,αI(dm(em(S1,m, . . . ,ST,m)))] ≥ H(SI,m|em(S1,m, . . . ,ST,m))−1 log|Qi∈IF mκi,m q | ≥ P 1 i∈Iκi,mlog q " X i∈I κi,m−n+µ log q − 1 m− I(SI,m; Bmem(S1,m, . . . ,ST,m)|Bm) m # . (19)
By Eqs. (15), (16) and (19) we can see that
lim supm→∞Pr[(S1,m, . . . , ST,m) , dm(em(S1,m, . . . , ST,m))]
≥ δ/(δ+Pi∈IRi) > 0. This shows that the limit of mutual information I(SI,m; Bmem(S1,m, . . . , ST,m)|Bm)/n cannot be lower than Pi∈IRi − (n − µ) while keeping the sum of
information ratesPi∈Iκi strictly larger than Pi∈IRi.
IV. Conclusion
In the secure network coding, there was loss of information rate due to inclusion of random bits at the source node. In this paper, we have shown that a method to eliminate that loss of information rate by using multiple statistically independent messages to be kept secret from an eavesdropper, and called the proposed scheme secure multiplex network coding. The proposed scheme is an adaptation of Yamamoto et al.’s secure multiplex coding [14] to the secure network coding [4], [5], [20].
Acknowledgment
The authors thank anonymous reviewers of NetCod 2011 for carefully reading the initial manuscript and pointing out its shortcomings. The first author would like to thank Prof. Hiro-suke Yamamoto to teach him the secure multiplex coding, Dr. Shun Watanabe to point out the relation between the proposed scheme and [11], Mr. Jun Kurihara to point out the relation between the proposed scheme and [19], Dr. Jun Muramatsu and Prof. Tomohiro Ogawa for the helpful discussion on the universal coding. A part of this research was done during the first author’s stay at the Institute of Network Coding, the Chinese University of Hong Kong, and he greatly appreciates the hospitality by Prof. Raymond Yeung. This research was partially supported by the MEXT Grant-in-Aid for Young Scientists (A) No. 20686026 and (B) No. 22760267, and Grant-in-Aid for Scientific Research (A) No. 23246071. The Center for Quantum Technologies is funded by the Singapore Ministry of Education and the National Research Foundation as part of the Research Centres of Excellence programme.
AppendixA
Proof ofTheorem2
In order to show Theorem 2, we introduce the following lemma.
Lemma 6: Under the same assumption as Theorem 2, we have
Efexp(−ρH(F(X); Z|F= f ))≤ |S|−ρ+E[PX|Z(X|Z)ρ] (20) for 0≤ρ≤1.
Proof of Theorem 2.
=Efexp(ρH(F(X)|F= f )−ρH(F(X); Z|F= f ))
≤Ef|S|ρexp(−ρH(F(X); Z|F= f ))
≤Ef|S|ρ(|S|−ρ+E[PX|Z(X|Z)ρ]) (by Eq. (20))
=1+|S|ρE[PX|Z(X|Z)ρ]
Proof of Lemma 6. Fix z ∈ Z. The concavity of xρ for 0≤ ρ≤1 implies Ef X s∈S Pf (X)|Z(s|z)1+ρ =X x∈X PX|Z(x|z)Ef X x′∈f−1(x) PX|Z(x′|z) ρ ≤X x∈X PX|Z(x|z) Ef X x′∈f−1(x) PX|Z(x′|z) | {z } (∗) ρ . (21)
Since f is chosen from a family of two-universal hash func-tions defined in Definition 1, we have
(∗)≤PX|Z(x|z)+ X x,x′∈X PX|Z(x′|z) |S| ≤PX|Z(x|z)+|S|−1.
Since any two positive numbers x and y satisfy (x+y)ρ≤xρ+yρ
for 0≤ρ≤1, we have
(PX|Z(x|z)+|S|−1)ρ≤PX|Z(x|z)ρ+|S|−ρ. (22) By Eqs. (21) and (22) we can see
Ef X s∈S Pf (X)|Z(s|z)1+ρ≤ X x∈X PX|Z(x|z)1+ρ+|S|−ρ. Taking the average over Z of the both sides of the last equation, we have
EfEXZPf (X)|Z( f (X)|Z)ρ≤EXZPX|Z(X|Z)ρ+|S|−ρ. (23) Define g(ρ)=EXZPf (X)|Z( f (X)|Z)ρas a function ofρwith fixed
f and PXZ, and h(ρ)=log g(ρ). We have
g′(ρ)=EXZPf (X)|Z( f (X)|Z)ρlog Pf (X)|Z( f (X)|Z), g′′(ρ)=EXZPf (X)|Z( f (X)|Z)ρ(log Pf (X)|Z( f (X)|Z))2, h′(ρ)=g′(ρ)/g(ρ), h′′(ρ)= g ′′(ρ)g(ρ)−[g′(ρ)]2 g(ρ)2 .
Define (X′, Z′) to be the random variables that have the same joint distribution as (X,Z) and statistically independent of X and Z. To examine the sign of h′′(ρ) we compute
g′′(ρ)g(ρ)−[g′(ρ)]2
=EXZX′Z′Pf (X)Z( f (X),Z)ρPf (X)Z( f (X′),Z′)ρ
[(log Pf (X)|Z( f (X)|Z))2−log Pf (X)|Z(X|Z) log Pf (X)|Z(X′|Z′)]
=1 2EXZX′Z′Pf (X)Z( f (X),Z) ρPf (X)Z( f (X′ ),Z′)ρ [(log Pf (X)|Z( f (X)|Z))2+(log Pf (X)|Z( f (X′)|Z′))2 −2 log Pf (X)|Z( f (X)|Z) log Pf (X)|Z( f (X′)|Z′)] = 1 2EXZX′Z′Pf (X)Z( f (X),Z) ρP f (X)Z( f (X′),Z′)ρ [log Pf (X)|Z( f (X)|Z)−log Pf (X)|Z( f (X′)|Z′)]2 ≥0.
This means that h′′(ρ)≥0 and h(ρ) is convex. We can see EXZPf (X)|Z( f (X)|Z)ρ=exp(h(ρ)) ≥exp( h(0) |{z} =0 +ρh′(0)) =exp(−ρH( f (X)|Z)). (24) By Eqs. (23) and (24) we see that Eq. (20) holds.
References
[1] R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung, “Network informa-tion flow,” IEEE Trans. Inform. Theory, vol. 46, no. 4, pp. 1204–1206, Jul. 2000.
[2] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “Generalized privacy amplification,” IEEE Trans. Inform. Theory, vol. 41, no. 6, pp. 1915–1923, Nov. 1995.
[3] K. Bhattad and K. R. Narayanan, “Weakly secure network coding,” in
Proc. NetCod 2005, Riva del Garda, Italy, Apr. 2005.
[4] N. Cai and R. W. Yeung, “Secure network coding,” in Proc. ISIT 2002, Lausanne, Switzerland, Jul. 2002, p. 323.
[5] ——, “Secure network coding on a wiretap network,” IEEE Trans.
Inform. Theory, vol. 57, no. 1, pp. 424–435, Jan. 2011.
[6] J. L. Carter and M. N. Wegman, “Universal classes of hash functions,”
J. Comput. System Sci., vol. 18, no. 2, pp. 143–154, Apr. 1979.
[7] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed. Wiley Interscience, 2006.
[8] S. Y. El Rouayheb and E. Soljanin, “On wiretap networks II,” in Proc.
ISIT 2007, Nice, France, Jun. 2007, pp. 551–555.
[9] C. Fragouli and E. Soljanin, Network Coding Applications. NOW
Publishers, 2007.
[10] ——, Network Coding Fundamentals. NOW Publishers, 2007.
[11] K. Harada and H. Yamamoto, “Strongly secure linear network coding,”
IEICE Trans. Fundamentals, vol. E91-A, no. 10, pp. 2720–2728, Oct.
2008.
[12] M. Hayashi, “Exponential decreasing rate of leaked information in universal random privacy amplification,” IEEE Trans. Inform. Theory, vol. 57, no. 6, pp. 3989–4001, Jun. 2011.
[13] T. Ho, M. Medard, R. Koetter, D. R. Karger, M. Effros, J. Shi, and
B. Leong, “A random linear network coding approach to multicast,”
IEEE Trans. Inform. Theory, vol. 52, no. 10, pp. 4413–4430, Oct. 2006.
[14] D. Kobayashi, H. Yamamoto, and T. Ogawa, “How to attain the ordinary channel capacity securely in wiretap channels,” in Proc. 2005 IEEE
Information Theory Workshop on Theory and Practice in Information-Theoretic Security, Oct. 2005, pp. 13–18, arXiv:cs/0509047.
[15] S.-Y. R. Li, R. W. Yeung, and N. Cai, “Linear network coding,” IEEE
Trans. Inform. Theory, vol. 49, no. 2, pp. 371–381, Feb. 2003.
[16] Y. Liang, H. V. Poor, and S. Shamai (Shitz), Information Theoretic
Security. Hanover, MA, USA: NOW Publishers, 2009.
[17] R. Matsumoto and M. Hayashi, “Secure multiplex coding with a common message,” in Proc. ISIT 2011, Saint-Petersburg, Russia, Jul. 2011, to appear, arXiv:1101.4036.
[18] E. Shioji, R. Matsumoto, and T. Uyematsu, “Vulnerability of MRD-code-based universal secure network coding against stronger eavesdroppers,”
IEICE Trans. Fundamentals, vol. E93-A, no. 11, pp. 2026–2033, Nov.
2010.
[19] D. Silva and F. R. Kschischang, “Universal weakly secure network coding,” in Proc. ITW 2009, Volos, Greece, Jun. 2009, pp. 281–285. [20] ——, “Universal secure network coding via rank-metric codes,” IEEE
Trans. Inform. Theory, vol. 57, no. 2, pp. 1124–1135, Feb. 2011.
[21] A. D. Wyner, “The wire-tap channel,” Bell System Tech. J., vol. 54, no. 8, pp. 1355–1387, Oct. 1975.
AppendixB
Notes added after publication
This appendix is a note after submission of the final version to Proc. NetCod 2011. In Section III-C we claimed that the mutual information to Eve can be arbitrary small. This means that the mutual information can be made exactly zero for every eavesdropping matrix b. The reason is as follows: For fixed b andℓ, we have
I(SI; BX|B=b,L=ℓ)=H(SI|B=b,L=ℓ)−H(SI|bX,L=ℓ).
(25) The first term H(SI|B = b,L =ℓ) is an integer multiple of
log q since SIis assumed to have the uniform distribution. For
fixed b and ℓ, we have bX=bℓ−1(S1, . . . , ST+1). For a given realization bx of bX, the set of solutions s such that bx=bℓ−1s is written as ker(bℓ−1)+ some vector v. This means that the set of possible candidates of SI given realization bx of bX
is written as αI(ker(bℓ−1))+αI(v), and SI given realization
bx is uniformly distributed on αI(ker(bℓ−1))+αI(v). Since the cardinality of αI(ker(bℓ−1))+αI(v) is independent of X for fixed b and ℓ, the second term H(SI|bX,L = ℓ) is also an integer multiple of log q. Therefore, if Eq. (13) holds for every B as verified in Section III-C and the RHS of Eq. (13) is <log q, then the LHS of Eq. (13) must be zero.
In Section I we overlooked the relevant research result by Cai (“Valuable messages and random outputs of channels in linear network coding,” Proc. ISIT 2009, Seoul, Korea, Jun. 2009, pp. 413–417). Cai proved that random linear network coding gives the strongly secure network coding in the sense of [11] with arbitrarily high probability with sufficiently large finite fields. The advantages of the present result over Cai’s result are (1) we do not have to change encoding at intermediate nodes, (2) our construction is universal secure in the sense of [19], [20], and (3) much smaller finite fields can be used than Cai’s result.
